Implementing Security

A necessary prerequisite to the implementation of any security within a
project is the creation of a login page to authenticate users.

To create a security login page:

Select the Login Page from the Home tab.

If you want to add a login form to an existing page, you can use the Authentication
Builder to create the form within the page. Once you have a login page
in the project, you can configure the project security settings.

Project Security Settings

To set up security for a project:

You need to specify the database table and fields that contain the user
information. This is done using the Security and Security Groups sections of
the Project Settings window.

In the Security section, you have to specify the database table that
contains the user details as well as the fields within the table that
contain particular information. This information includes:

the ID field which holds the unique ID for each user,

the login and password fields, which contain the username/password
combination to be used during authentication, and optionally,

a group level field which indicates the group to which each user
belongs.

By clicking the "Advanced..." button you can open the Advanced
Security Settings dialog, where you can configure additional parameters
such as the names of session variables associated with an authenticated user,
password encryption, and the 'Remember Me' feature.

By default, session variables are created for the User ID Variable, User
Login Variable and Group ID Variable only. If other session variables are to be
used, you need to write custom code for them. Please see the Create
Custom Session Variables example.

Security Groups

If the site users are categorized into different groups, you can use the
Security Groups section to set up group IDs and names. The Group ID values
should correspond to the database field that specifies the group to which each
user belongs.

The group IDs can be set up in a hierarchical manner such that users with a
higher group ID have more security clearance than users with a lower ID. If this
is the case, you can check the Higher Level Inclusive of Lower Levels checkbox
so that users with a higher group ID can access all the pages that are
accessible by users with a lower group ID.

You can uncheck the Higher Level Inclusive of Lower Levels checkbox if you
want each group ID to be strictly allowed to access pages designated for that
group only. In this case, a user with a group ID such as 3 will not be able to
access a page designated for any other group ID.

Page Level Security

You can specify the users who are allowed to access a page by using the
Restricted property of the page in the page Properties window. When the
Restricted property is set to No, all users can access the page without having
to log in.

If the Restricted property is set to Yes, you can click [...] next
to the property to further specify the groups that are allowed to access the
page.

The Page Security Groups window shows the various groups that are
currently set up and allows you to specify which groups should be able to
access the page. For instance, users belonging to the Admin group can access
the page but not users belonging to the User group. You can also click on
the Groups... button to add new groups.

Form Level Security

Apart from setting security at the page level, you can also set form level
security. This is done using the Restricted property of the form.

Click [...] next to the Restricted property to set the groups that
should be allowed to access the form. The extent to which the groups can be
configured depends on the type of form.

In the case of record forms, you can set group access based on the
different operations that can be performed in a record form. The four
operations are Read, Insert, Update, and Delete. A group with Full access is
able to perform all four operations.

When setting security at the form or the page level, note that giving
access to all groups is not the same as not setting any security at all. If
all groups have access, each member of any of the groups is still required
to log in. This means that people who are not registered in the database will
not be able to access the form or page.
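
The rules from the Security Groups, Page Level Security and Form Level Security sections can be modelled as one small access check, which makes the difference between the inclusive and strict settings easy to test. The Python below is an added example, not code generated by the tool; the function names, the sample group IDs and names, the rule that every logged-in user has a group ID, and the way operations are inherited under the inclusive setting are assumptions of this model.

```python
# Added model of the access rules described on this page; not the tool's own code.
from typing import Dict, Optional, Set

FULL = frozenset({"Read", "Insert", "Update", "Delete"})  # "Full" = all four operations


def granted_ops(user_group: Optional[int],
                restricted: bool,
                grants: Dict[int, Set[str]],
                inclusive: bool) -> Set[str]:
    """Return the operations a visitor may perform on a page or form.

    user_group -- group ID from the session, or None for an anonymous visitor
    restricted -- the Restricted property (False = open to everyone)
    grants     -- group ID -> operations selected for that group
    inclusive  -- the "Higher Level Inclusive of Lower Levels" checkbox
    """
    if not restricted:
        return set(FULL)              # Restricted = No: no login needed
    if user_group is None:
        return set()                  # Restricted = Yes: anonymous visitors refused
    if inclusive:
        # Assumption: a higher ID inherits what every lower-or-equal ID was granted.
        ops: Set[str] = set()
        for gid, g_ops in grants.items():
            if gid <= user_group:
                ops |= g_ops
        return ops
    return set(grants.get(user_group, set()))   # strict: exact group match only


def can_access(user_group, restricted, grants, inclusive, op="Read"):
    """True if the visitor may perform `op` (page access is modelled as Read)."""
    return op in granted_ops(user_group, restricted, grants, inclusive)


# Constructed sample data: group IDs and names are illustrative only.
GROUPS = {1: "User", 2: "Editor", 3: "Admin"}
EDITOR_FORM = {2: {"Read", "Update"}}            # only the Editor group selected
ALL_GROUPS = {gid: set(FULL) for gid in GROUPS}  # every group given Full access

if __name__ == "__main__":
    for gid in (None, 1, 2, 3):
        print(gid,
              sorted(granted_ops(gid, True, EDITOR_FORM, inclusive=True)),
              sorted(granted_ops(gid, True, EDITOR_FORM, inclusive=False)),
              can_access(gid, True, ALL_GROUPS, inclusive=False))
```

With the strict setting, group 3 gets nothing on a form designated for group 2, and an anonymous visitor is refused even when every group has Full access.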